← Back to blog

What is an SSL certificate and how does it actually work?

An SSL certificate is what puts the padlock in your browser and encrypts the connection between your website and its visitors — here is what it does, why it matters, and what happens when it expires.

Here's a scenario that plays out often enough to be a pattern, not a one-off: a small business owner wakes up to messages from clients saying their website is showing a security warning. Nothing was hacked. No data was taken. The SSL certificate expired overnight, and now every browser visiting the site is displaying a full-screen warning telling visitors the connection is not private. The business is losing enquiries not because of an attack, but because of an administrative task nobody scheduled.

An SSL certificate is the thing that makes the padlock appear in the browser address bar. It's also the thing that, when it expires, makes that padlock disappear and the warnings appear in its place. Understanding what it does and how to keep it working properly is basic infrastructure knowledge for any business with a website.

What an SSL certificate actually does

SSL stands for Secure Sockets Layer, though the protocol in actual use today is its successor, TLS, or Transport Layer Security. The terms are used interchangeably in everyday usage, and when people say SSL they almost always mean TLS in practice.

The certificate does two things. First, it enables encryption of the connection between your website and the visitor's browser, meaning that data sent between them, form submissions, login credentials, payment information, cannot be intercepted and read by someone in between. Second, it verifies that the website a visitor is connecting to is actually the website it claims to be, rather than an impersonating page sitting between the visitor and the real site.

That second function is what the certificate's chain of trust provides. Your SSL certificate is issued by a Certificate Authority, a trusted third party whose job is to verify that you control the domain the certificate is issued for. Browsers trust a set of recognised Certificate Authorities, and when your certificate checks out against that chain, the padlock appears.

Why every website needs one

Browsers have made this non-negotiable in practice. Any website without a valid SSL certificate receives a "not secure" warning in the address bar, and any page attempting to collect form data without one triggers a more prominent warning still. This isn't a security recommendation, it's the baseline expectation of every browser your visitors use.

Beyond browser warnings, HTTPS is also a ranking signal in Google search, and many third-party integrations, payment processors, form tools, analytics platforms, require a secure connection as a prerequisite for functioning at all.

What happens when an SSL certificate expires

Certificates are issued for a fixed period, currently a maximum of around 13 months for publicly trusted certificates, after which they need to be renewed. If renewal doesn't happen before the expiry date, the certificate becomes invalid the moment it expires, and browsers begin displaying warnings to every visitor immediately.

There's no grace period. An expired certificate at 11pm on a Tuesday looks exactly the same to a visitor's browser as no certificate at all. This is why renewal processes matter: a certificate renewed a week before expiry is fine, one renewed a day after is a problem that's already caused damage.

How to make sure yours stays current

Most hosting providers and platforms offer automated certificate renewal, either through Let's Encrypt, which issues free certificates automatically, or through their own renewal systems. If yours is automated, verify that the automation is actually working rather than assuming it is — an automated system that silently fails still results in an expired certificate.

If your renewal is manual, Olimpio monitors SSL certificate expiry as part of its ongoing scan and will flag a certificate approaching its expiry date before it becomes a problem, giving you time to act rather than finding out from a client message.

Frequently asked questions

Is a free SSL certificate from Let's Encrypt as good as a paid one? For encryption purposes, yes. Let's Encrypt certificates provide the same level of encryption as paid certificates. The difference with paid certificates is typically additional validation tiers, like Extended Validation, which display a company name in some browsers, or insurance against certain certificate-related incidents — neither of which most small businesses need.

Do I need a separate SSL certificate for every subdomain? A wildcard certificate covers a domain and all its subdomains with a single certificate; a standard certificate typically covers one specific domain and optionally www. Whether you need a wildcard depends on how many subdomains your setup uses.

Can I check when my SSL certificate expires? Yes, clicking the padlock in your browser address bar shows certificate details including the expiry date, or a scan will surface this information alongside a flag if expiry is approaching.

Does an SSL certificate protect my website from being hacked? It encrypts the connection between the server and the visitor, but it doesn't protect against vulnerabilities in the website itself. It's one layer of a broader security picture rather than a comprehensive protection.

What is the difference between HTTP and HTTPS? HTTP is the unencrypted version of the protocol used to load web pages. HTTPS is the encrypted version, enabled by an SSL certificate. Any website you visit with a padlock in the address bar is using HTTPS.

Run a free scan of your domain to check your SSL certificate status, expiry date, and the rest of your external security configuration in one place: olimpio.io/free-scan

Want to see what attackers see?

Scan your domain for free — no setup, no technical knowledge needed, results in ~20 minutes. No card required.

Get your free scan →